SECURITY: Don't allow base_uri as embeddable host if none exist
This commit is contained in:
parent
fd0bb34001
commit
cd20d0fdfd
|
@ -44,7 +44,7 @@ class EmbeddableHost < ActiveRecord::Base
|
||||||
|
|
||||||
def self.url_allowed?(url)
|
def self.url_allowed?(url)
|
||||||
# Work around IFRAME reload on WebKit where the referer will be set to the Forum URL
|
# Work around IFRAME reload on WebKit where the referer will be set to the Forum URL
|
||||||
return true if url&.starts_with?(Discourse.base_url)
|
return true if url&.starts_with?(Discourse.base_url) && EmbeddableHost.exists?
|
||||||
|
|
||||||
uri = begin
|
uri = begin
|
||||||
URI(UrlHelper.escape_uri(url))
|
URI(UrlHelper.escape_uri(url))
|
||||||
|
|
|
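Review bot: The early return on the changed line is still a bare prefix test, so `url&.starts_with?(Discourse.base_url)` also accepts any URL whose authority merely begins with the forum's base URL (extra characters before the next `/`), and the added `EmbeddableHost.exists?` condition only narrows when the shortcut applies, not what it matches. Because this branch short-circuits the `URI(UrlHelper.escape_uri(url))` parsing below it, it would be safer to require a boundary after the base URL, e.g. `return true if EmbeddableHost.exists? && (url == Discourse.base_url || url&.starts_with?("#{Discourse.base_url}/"))`. A one-line comment such as `# the forum's own URL is only trusted once embedding has actually been configured` would also make the intent of the new `exists?` check clear to the next reader. The body of `url_allowed?` continues past the end of this hunk.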
@ -65,6 +65,10 @@ describe EmbeddableHost do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "doesn't allow forum own URL if no hosts exist" do
|
||||||
|
expect(EmbeddableHost.url_allowed?(Discourse.base_url)).to eq(false)
|
||||||
|
end
|
||||||
|
|
||||||
describe "url_allowed?" do
|
describe "url_allowed?" do
|
||||||
fab!(:host) { Fabricate(:embeddable_host) }
|
fab!(:host) { Fabricate(:embeddable_host) }
|
||||||
|
|
||||||
|
|
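Review bot: The new example only pins the negative case, and nothing in this hunk shows that the forum's own URL is still accepted once a host has been configured, which is the behaviour the model change is meant to preserve. The `describe "url_allowed?"` block that follows already provides `fab!(:host) { Fabricate(:embeddable_host) }`, so a counterpart example there would cover it: `it "allows forum own URL when a host exists" do`, `expect(EmbeddableHost.url_allowed?(Discourse.base_url)).to eq(true)`, `end`. The enclosing `describe EmbeddableHost` block starts and ends outside this hunk, so it is possible such an example already exists elsewhere in the file.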